A PSR-15 middleware to secure your site with SameSite cookies 🍪
- PHP 8.1+
composer require selective/samesite-cookie
Same-site cookies ("First-Party-Only" or "First-Party") allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
Warning: SameSite cookies doesn't work at all for old Browsers and also not for some Mobil Browsers e.g. IE 10, Blackberry, Opera Mini, IE Mobile, UC Browser for Android.
Further details can be found here:
- SameSite cookies explained
- CSRF is (really) dead
- PHP setcookie “SameSite=Strict”?
- How to Set a cookie attribute Samesite value in PHP ?
- Can I use SameSite?
<?php
use Selective\SameSiteCookie\SameSiteCookieMiddleware;
use Slim\Factory\AppFactory;
$app = AppFactory::create();
// ...
// Register the samesite cookie middleware
$app->add(new SameSiteCookieMiddleware());
// ...
$app->run();
Example with configuration and the session starter middleware.
Slim 4 uses a LIFO (last in, first out) middleware stack, so we have to add the middleware in reverse order:
<?php
use Selective\SameSiteCookie\SameSiteCookieConfiguration;
use Selective\SameSiteCookie\SameSiteCookieMiddleware;
use Selective\SameSiteCookie\SameSiteSessionMiddleware;
use Slim\Factory\AppFactory;
$app = AppFactory::create();
// ...
// Optional: Add custom configuration
$configuration = new SameSiteCookieConfiguration();
// Register the samesite cookie middleware
$app->add(new SameSiteCookieMiddleware($configuration));
// Optional: Start the PHP session
// Use this middleware only if you have no other session starter middleware
$app->add(new SameSiteSessionMiddleware());
// ...
$app->run();
The MIT License (MIT). Please see License File for more information.